IT modernization and the shift to remote work have presented unique security challenges for government agencies, especially those shifting to the cloud for greater agility. But attacks aren’t slowing down. Web applications built and managed by the government are under fire, and the numbers are alarming. According to Invicti Security, 86% of federal cybersecurity leaders have experienced a breach originating in a web application in the past year.
Web applications are core to how government agencies operate as they store critical, sensitive data, which presents a risk if left unchecked and unsecured. It’s a mounting security issue that agencies need to keep an eye on; as the number of applications increases, so do ransomware and cyber threats. This uptick of attacks on web applications serves as a stark reminder to government leaders that subpar security strategies can lead to breaches when vulnerabilities are missed – even low-risk applications introduce an entry point for bad actors to carry out their exploits.
Agencies like the Health Resources and Services Administration (HRSA) are tackling new security protocols to mitigate threats, according to CISO Nick Lewis in a new FedScoop interview. He highlights the various tools HRSA uses to identify vulnerabilities, including static application security testing (SAST), interactive application security testing (IAST) and dynamic application security testing (DAST). With DAST as a key player in security strategy, federal agencies have greater clarity into the behavior of their web apps and can more easily identify where threats are throughout the software development lifecycle (SDLC).
“OpSec is a critical part of the national security strategy, and there is a realization that applications are the new perimeter. DAST is a great strategy for defining what your perimeter looks like, measuring your security posture and determining your agency’s resilience to threats,” adds Invicti Security’s VP of Professional Services, Mark Townsend. Although there are several solutions for testing, the ultimate goal is to secure web applications and keep them secure.
Additionally, the push for meeting zero trust federal mandates – coupled with modernizing legacy systems and processes – is a major driving force for web application security. Lewis shares his insights on the federal directives that were most helpful in kick-starting HRSA’s security strategies for modernization and getting them to where they are today in their journey, including the Continuous Diagnostics and Mitigation (CDM) Program.
“[CDM] opened the door to us moving forward in getting the tools necessary to secure the environment. And by leveraging CDM tools, we were able to start the process of meeting the zero-trust initiative by DHS providing an endpoint detection and response tool,” Lewis says. He also highlights how the OMB’s M-22-09 “Moving the U.S. Government Toward Zero Trust Cybersecurity Principle” helped redefine what security means within the federal government and was a “game changer.”
Establishing zero-trust operating environments means agencies must have the proper tools with the correct features and fully understand their entire attack surface. However, “Zero trust is a journey,” says Townsend. He stresses why “continuously securing users that work in applications, keeping an inventory of internal and external applications up to date, along with a software bill of materials is absolutely critical.”
Agencies have the opportunity to reevaluate their structures and processes to address modernization efforts. “As we are looking ahead, one of the challenges is that it’s not just tools we’ll need to make this journey. We have to augment our staff and make sure that we’re getting the right people…using the right tools to meet all zero trust requirements,” says Lewis. If federal agencies are secure, they can remain mission-ready in an evolving, modern environment.
Watch the full interview to hear more from the executives. Learn more about creating a strategy for security – now and into the future with Invicti.
This video panel discussion was produced by Scoop News Group and FedScoop and underwritten by Invicti Security.